# CSRF Protection

To learn about cross-site request forgeries, see Laravel docs (opens new window).

Lighthouse provides mitigation against CSRF attacks through the Nuwave\Lighthouse\Support\Http\Middleware\EnsureXHR middleware. Just add it as the first middleware for the Lighthouse route in config/lighthouse.php:

    'route' => [
        // ...
        'middleware' => [

            // ... other middleware

It forbids:

  • GET requests
  • POST requests that can be created using HTML forms

It allows:

  • other request methods
  • POST requests with the header X-Requested-With: XMLHttpRequest
  • POST requests with a Content-Type that can not be set from HTML forms


  • Old browsers (IE 9, Opera 12) don't support XHR requests
  • You won't be able to use GraphQL queries through GET requests or HTML forms